On September 17, 2021, the First District of the Illinois Appellate Court issued the first appellate opinion regarding the applicable statute of limitations for claims arising under Illinois’ Biometric Information Privacy Act (“BIPA”). In a mixed decision, the First District found that the limitations period could range from 1 year to as much as 5 years depending on the nature of the alleged violation at issue.
The implications of the First District’s decision are momentous, because many BIPA lawsuits are class actions. In addition to expanding the pool of potential plaintiffs, a five-year limitations period greatly increases the potential class size and, consequently, defendants’ potential damages exposure.
By way of background, Illinois enacted BIPA in 2008 after a company called Pay-by-Touch started a pilot program at Chicago-area retail stores to enable customers to pay for purchases using fingerprint scans linked to their credit cards. When Pay-by-Touch subsequently filed for bankruptcy after collecting customers’ biometric and financial account information, the bankruptcy trustee listed the customers’ biometric information as an asset and sought to sell it to pay off creditors. This motivated the Illinois legislature to enact BIPA.
BIPA contains five different subsections regulating the use of biometric information. The differences between the following five subsections were critical to the First District’s decision:
- First, anyone in possession of biometric information must develop a publicly-available retention policy.
- Second, prior to collecting any biometric information, the collecting party must disclose the purpose and length of time for which the information will be used, and obtain a release from the subject of the information.
- Third, biometric information cannot be disclosed without the authorization of the subject.
- Fourth, a party cannot profit from the sale of biometric information under any circumstances.
- Finally, a party must protect biometric information using the standard of care in the industry, and at least the same protection measures that the party uses for other personal and confidential information.
Debate Over Limitations Period
BIPA itself does not specify the applicable statute of limitations, and the plaintiff and defense bars have disagreed on the applicable limitations period. Prior to the First District’s decision, the litigation in the trial courts has centered around three potential limitations periods, including the following:
- One-year period for actions based on “publication of matter violating the right of privacy.” 735 ILCS 5/13-201;
- Two-year period for personal injuries or “statutory penalties.” 735 ILCS 5/13-202; or
- Five-year period for “all civil actions not otherwise provided for.” 735 ILCS 5/13-205.
The Subject Lawsuit
An employee sued his former employer alleging that his employer required him to clock-in for work using a biometric time clock, and that his employer violated BIPA by failing to obtain his informed consent, failing to have a retention policy, and disclosing his information to third parties such as the time clock vendor.
The plaintiff stopped working for the defendant in January 2018, and he filed suit in March 2019. The employer moved to dismiss the lawsuit, arguing that the suit was time-barred because the one-year limitations period for “publication of matter violating the right of privacy” applied. The plaintiff of course disagreed and argued that the five-year period for “civil actions not otherwise provided for” applied. The trial court agreed with the plaintiff but certified the question for interlocutory appeal.
The Appellate Court’s Decision
On appeal, the First District found that the applicable limitations period depends on which of the five BIPA subsections is at issue. More specifically, the First District found that the one-year limitations period is limited to matters involving “publication.” Using this framework, the First District found that only two of BIPA’s subsections involve publication: the prohibition of unauthorized disclosure and the prohibition of the sale of biometric information. On the other hand, the First District found that the other three requirements (the retention policy requirement, informed consent requirement, and standard of care requirement) can be violated without any publication, and therefore are subject to the five-year limitations period.
For the case at hand then, applying the First District’s decision means that the plaintiff’s allegations regarding his employer’s failure to obtain his informed consent and failure to have a retention policy were subject to the five-year limitations period and therefore timely. In contrast, the plaintiff’s allegations of unauthorized disclosure were subject to the one-year limitations period and therefore barred.
Not the Last Word
The First District’s decision likely will not be the last word on the limitations period for BIPA claims. A separate appeal regarding the limitations period for BIPA claims - Marion v. Ring Container Technologies – is pending in Illinois’ Third District. (The First District covers Chicago, and the Third District covers North-Central Illinois and Chicago’s southern suburbs). The parties to both cases are likely to seek further appeal to the Illinois Supreme Court, and the Supreme Court will have a good reason to weigh in on the novel issue, especially if the Third District reaches a contradictory decision.
It is also noteworthy that the First District’s decision did not address the potentially applicable two-year limitations period for “statutory penalties.”
Potential Legislative Reform
In addition to these appellate decisions, the Illinois legislature could also take action. In its spring term, the legislature advanced a bill out of committee that would dramatically reform BIPA. The legislature did not hold a final vote on that bill before the conclusion of its spring term, but new appellate decisions could motivate the legislature to renew the reform effort.
Octillo will continue to monitor any developments regarding BIPA and will update its guidance accordingly. Our team of experienced attorneys, who are also devoted technologists, are especially equipped with the skills and experience necessary to not only develop a comprehensive and scalable biometric privacy compliance program but also handle any resulting litigation.
*Attorney Advertising. Prior results do not guarantee future outcomes.